Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction

Sheela
Path Finder
‎09-19-2011 02:34 PM

I want to create report for events whose field names haven't been extracted. I have SSH logs of the format "Accepted publickey for user XYZ" , "Accepted publickey for user ABC" and so on. I want to collect statistics for XYZ and other users. When I test an extraction, I get a javascript error on page which says invalid argument. Even if I save a field extraction, I'm not able to use it in my search. Can someone please tell me how to go about it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MarioM
Motivator
‎09-19-2011 10:48 PM

I am not sure why you getting java script error maybe an issue with your browser...

There are several methods to extract fields:

First i usually use erex to see what regex will catch my field values:

... | erex user examples="XYZ, ABC" counterexamples="99/2"

Then it will give me a regex which i would use in rex command:

... | rex field=_raw "Accepted\spublickey\sfor\suser\s(?<user>.*[^\s]) "

Then I Use the Field extractions page in Manager.

Here you will find all the methods to extract fields : Fields and field extractions

View solution in original post

Reply
Solved! Jump to solution
Solution

MarioM
Motivator
‎09-19-2011 10:48 PM

I am not sure why you getting java script error maybe an issue with your browser...

There are several methods to extract fields:

First i usually use erex to see what regex will catch my field values:

... | erex user examples="XYZ, ABC" counterexamples="99/2"

Then it will give me a regex which i would use in rex command:

... | rex field=_raw "Accepted\spublickey\sfor\suser\s(?<user>.*[^\s]) "

Then I Use the Field extractions page in Manager.

Here you will find all the methods to extract fields : Fields and field extractions

Reply
Solved! Jump to solution

Sheela
Path Finder
‎09-21-2011 08:43 AM

That worked perfectly! Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...